Public Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") automatically applies to any Client who registers for, uses, or accesses the services of DDD Invoices, or signs any Agreement referencing this document. By doing so, the Client agrees to the terms of this DPA.

Preamble

Client has commissioned the Service Provider with the provision of e-invoicing services. Performance of the services may require access to personal data of Client by the Service Provider. Art. 28 General Data Protection Regulation (GDPR) sets out certain requirements for such processing of personal data on behalf of Client. To comply with the statutory requirements, the parties agree as follows:

1. Subject of this Agreement

  1.1 Service provision of the Service Provider is based on the Agreement and/or Terms & Conditions.
  1.2 This DPA complements the Agreement in respect of data protection. Subject and term of the services to be provided by the Service Provider are set out in the Agreement and/or Terms & Conditions. In the event of conflicts, the terms and conditions of the Agreement shall prevail.

2. Scope, Purpose, and Provision of Data Processing; Categories of Data and Data Subjects

  2.1 The scope and purpose of the Service Provider's data processing are set out in the Agreement and the related service description. Generally, the Service Provider provides e-invoicing services integrated into the Client system via an API.
  2.2 The categories of personal data processed by the Service Provider are as follows:
    • Invoice data, including information about the issuer and recipient of an invoice and potentially names and contact details of contact persons of the issuer and/or recipient
    The data subjects are:
    • Customers of Client (and potentially customers of Client's affiliates)
    • Business partners of the aforementioned customers (recipients or issuers of invoices)
  2.3 The Service Provider shall process Client's personal data solely for the purpose of fulfilling the Agreement and in observance of Client's instructions. If the Service Provider processes personal data based on a legal obligation pursuant to Art. 28 (3)(a) GDPR, the Service Provider shall notify Client in advance, unless prohibited by law.
  2.4 The Service Provider may engage subcontractors at any location; however, for subcontractors involved in activities of directly processing Client's or their Customers' data, the Service Provider shall engage such subcontractors at locations in the European Economic Area (EEA) and/or in a third country, in order to provide the services for that region or country. The Client hereby acknowledges the potential use of subcontractors in a third country on the subset of their or their Customers' data in order to provide the compliant services for that area, including appropriate safeguards under Chapter V GDPR, such as Standard Contractual Clauses (SCCs).
  2.5 The Service Provider shall observe and implement Client's instructions regarding the collection, processing, or use of personal data. Client may give such instructions at any time and at its own discretion, including instructions regarding the correction, deletion and blocking of data. The Service Provider is obliged to keep internal documentation of Client's instructions. The Service Provider shall immediately notify Client if, in the Service Provider's opinion, an instruction infringes applicable data protection law or regulations. Client shall provide instructions in writing (including e-mail).

3. Sub-Processors

  3.1 Service Provider may, from time to time, engage subcontractors (including but not limited to infrastructure and technology providers) to meet the requirements of the Agreement. When engaging subcontractors, the Service Provider will notify and require each subcontractor to meet the obligations of this agreement. All current subcontractors are listed in Annex 1 - Approved Subcontractors. Service Provider will notify the Client of any new potential subcontractors that would be involved in direct processing of Client's data before authorizing them. If the Client does not accept the change and/or appointment of a Sub-processor, the Client has a right to terminate the parts of the Agreement affected by the change by notifying the Service Provider within 10 days of receiving a notification, with 90 days' notice. In case a subcontractor is used, Service Provider is responsible for acts or omissions of its subcontractors to the same extent that Service Provider is responsible and accountable for its own actions or omissions under this Agreement and DPA.
  3.2 When engaging subcontractors, the Service Provider will notify and require each subcontractor to meet the obligations of this agreement.
  3.3 Upon request, the Service Provider shall provide Client with all necessary information to prove the compliance of the subcontractor with the obligations under data protection law.

4. Confidentiality and data secrecy

  4.1 The Service Provider is obliged to observe the statutory provisions on data protection. Documents and data shall be secured against unauthorized disclosure. The Service Provider shall not acquire any rights of its own to the data made available to it. In particular, the Service Provider shall not be permitted to disclose personal data to unauthorized third parties or to make any other use of such data that does not comply with this DPA. The Service Provider shall be obligated to treat confidentially all knowledge obtained in the course of the contractual relationship, in particular business secrets and data security measures. This obligation shall continue after termination of the contractual relationship.
  4.2 The persons engaged by the Service Provider are prohibited from collecting, processing or using personal data without authorization (Art. 32 (4) GDPR). This applies to all persons engaged by the Service Provider with the data processing and fulfillment of this DPA or the Agreement, regardless of their status under labor law, in particular including freelancers and persons engaged by the Service Provider's subcontractors (such persons hereinafter referred to as "Service Provider Personnel"). The Service Provider shall oblige all Service Provider Personnel accordingly and ensure compliance with this obligation with due care. Furthermore, the Service Provider shall ensure that the Service Provider Personnel are committed to confidentiality or are subject to an appropriate statutory duty of confidentiality. These obligations must be formulated in such a way that they remain in force even after termination of the relationship between the Service Provider Personnel and the Service Provider. The Service Provider shall provide evidence of these obligations upon request.

5. Data protection measures and audits

  5.1 The Service Provider shall be obliged to ensure the proper operation of the systems with which personal data are to be processed and to observe the principles for the processing of personal data pursuant to Art. 5 GDPR. The Service Provider shall monitor compliance and shall implement measures to be able to prove compliance in a suitable manner.
  5.2 The Service Provider shall structure its internal organization in such a way that it meets the requirements of the GDPR. The Service Provider shall implement all necessary technical and organizational measures in accordance with Art. 32 GDPR, in particular the measures listed in Annex 2. The Service Provider shall undertake regular reviews of the effectiveness of the technical and organizational measures to ensure the security of the processing. The Service Provider shall provide Client with its current data protection and security concept, including documentation of implemented measures.
  5.3 Client may audit the Service Provider's compliance with data protection law and agreements where there is a justified suspicion of non-compliance. The Service Provider shall reasonably support Client's audit, provided at least 45 days' prior written notice is given, by providing necessary information and access to relevant systems and documents. Any audits shall be conducted during normal business hours, in a manner that minimizes disruption to the Service Provider's operations and does not unreasonably disrupt the Service Provider's business.

    Client may authorize independent third-party auditors to conduct audits on its behalf, provided the third party is bound by confidentiality obligations and is not a direct competitor of the Service Provider. The scope and frequency of audits shall be proportionate to the nature and volume of processing activities performed by the Service Provider.

    All costs associated with the audit, including fees for independent third-party auditors, shall be borne solely by Client.
  5.4 Upon Client's request, the Service Provider shall provide the information required pursuant to Art. 30 (2) to (4) of the GDPR. The Service Provider shall assist Client, provided that this does not unreasonably disrupt the Service Provider's business, in ensuring compliance with the obligations pursuant to Art. 32 to 36 GDPR, taking into account the nature of processing and the information available to the Service Provider.
  5.5 The Service Provider's data protection officer can be contacted using [email protected]. The Service Provider shall notify Client of a change without undue delay.

6. Notification obligations

  6.1 In the event of disruptions, suspected personal data breaches (Art. 4 (12) GDPR), suspected security-related incidents, or other irregularities in the processing of personal data, the Service Provider shall inform Client without undue delay, at the latest within 72 hours of becoming aware of them. The notification shall contain the information specified in Art. 33 (3) GDPR to the extent reasonably available at the time of notification.

    The Service Provider shall provide reasonable support to Client in fulfilling its reporting and notification obligations pursuant to Art. 33 and 34 GDPR.

    The Service Provider shall promptly take commercially reasonable measures to address the incident or breach, secure the data, and mitigate possible adverse consequences. The Service Provider shall inform Client of the measures taken and, where applicable, request further instructions.
  6.2 Should the data be endangered by seizure or attachment, by insolvency or composition proceedings or by other events or measures of third parties, the Service Provider shall notify Client without undue delay. The Service Provider shall immediately notify all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the Client as the data controller within the meaning of the GDPR.
  6.3 The Service Provider shall provide Client upon request with information insofar as Client's data is concerned. If Client is obligated to provide information to a data subject regarding the collection, processing or use of the data subject's personal data on the basis of applicable data protection laws, the Service Provider shall support Client in doing so.
  6.4 The Service Provider shall inform Client without undue delay of inspections and measures by a supervisory authority or in the event that a supervisory authority investigates the Service Provider.

7. Deletion and return of data

The Service Provider shall return all data to Client at any time upon request (and upon termination of the Agreement without request), or – at Client's choice – delete the data and confirm the complete return or deletion in writing. The deletion shall be carried out in accordance with secure and state-of-the-art deletion procedures in compliance with data protection law, taking into account the level of protection of the respective data. A right of retention, for whatever legal reason, against the aforementioned claims of Client shall be excluded.

8. Data subject rights

  8.1 Data subject rights shall be asserted against the Client. The Service Provider undertakes to forward all data subject requests (including e.g. regarding the correction, blocking or restriction of processing or deletion of data) to Client without undue delay.
  8.2 The Service Provider shall reasonably support Client in fulfilling data subject requests and rights laid down in Chapter III of the GDPR, in particular regarding information obligations (notification, provision of information), correction, blocking or restriction of processing and deletion of personal data.

9. Term and termination; miscellaneous

  9.1 This DPA automatically terminates upon termination of cooperation, deletion of the Client's account or expiration of the Agreement. However, this DPA shall remain in force as long as the Service Provider possesses or otherwise has access to personal data of Client.
  9.2 This DPA shall be governed by and construed in accordance with the laws of Slovenia, excluding their rules governing conflicts of laws. Any disagreements or disputes arising in connection with the subject of this DPA will be resolved by mutual agreement between the parties. If they cannot reach an agreement, both sides agree to resolve the issue through arbitration instead of going to court. A neutral arbitrator will hear both sides and make a final decision. Both parties must follow the arbitrator's decision.
  9.3 If any provision of this DPA is held by a court of competent jurisdiction to be unenforceable or contrary to law, then the remaining provisions of this DPA, and/or the application of such provisions to persons or circumstances other than those as to which it is invalid or unenforceable, shall not be affected thereby, and each such provision of this DPA shall be valid and enforceable to the extent granted by law. The parties hereby undertake to replace invalid or unenforceable provisions, and fill gaps, by agreeing on appropriate provisions which are as close as possible to the economic purpose of the invalid or missing provision.

Appendixes

Annex 1 – Subcontractors
Annex 2 – Technical and organizational measures

Annex 1 - Subcontractors

The following subcontractors are approved by Client:

Company (name)    Services provided by the company (general description)    Location of the processing
Contabo           Main service hosting and data storage                     European Union
Cloudflare        Public network security                                   European Union
Vercel            Website hosting and CDN                                   European Union
Google            Storage of customer agreements                            European Union
A-cube            Local e-invoicing service                                 European Union
Invoice Portal    Local e-invoicing service                                 European Union
Link4             Local e-invoicing service                                 Australia

Annex 2 - Technical and organizational measures pursuant to Art. 32 GDPR

1. Data Centres and Network Security


(a) Data Centres.

Infrastructure. Service Provider uses data centres inside the European Union. Service Provider stores all production data in physically secure data centres meeting recognised international standards.

Redundancy. Infrastructure systems include redundancy to eliminate single points of failure and minimize the impact of anticipated environmental risks. Processes are implemented to allow the Service Provider to perform certain types of preventative and corrective maintenance without interruption.

Power. Data centre electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, 7 days a week. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS), designed to provide transitory power at full capacity for a number of minutes until generator systems take over, which are designed to automatically start in seconds and are capable of running at full capacity for a period of days until normal power supply is resumed.

(b) Networks and Transmission.

Data Transmission. Data centres are connected to the internet backbone via high-speed links providing secure and fast data transfer between them and users of the Service Provider's services.

External Attack Surface. Service Provider employs intrusion detection measures to protect its external attack surface. Service Provider considers potential attack vectors and incorporates appropriate defence measures to mitigate them.

Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Service Provider's intrusion detection involves: (i) controlling the size and make-up of Service Provider's attack surface through preventative measures; (ii) employing intelligent detection controls at data entry points; and (iii) employing technologies that automatically remedy certain dangerous situations.

Incident Response. Service Provider monitors a variety of communication channels for security incidents, and Service Provider's security personnel will react promptly to known incidents.

Encryption Technologies. Service Provider uses HTTPS encryption for all data in transit.

2. Access


(a) Data Centres.

On-site Data Centre Security Operation. Service Provider's data centres maintain an on-site security operation responsible for all physical data centre security functions 24 hours a day, 7 days a week.

Data Centre Access Procedures. Only authorized individuals are allowed entry to Service Provider's data centres. ID and relevant authorization are required for access. In general, access is strictly limited and determined on a case-by-case basis.

(b) Personnel and Access Control.

Personnel. Service Provider has, and maintains, a security policy for its personnel, and requires security training as part of the initial onboarding and subsequent updates for its personnel. Service Provider personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Service Provider personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Service Provider's confidentiality and privacy policies.

Access Control and Privilege Management. Service Provider's personnel are only granted access to the systems and data they need in order to execute their role and responsibilities and meet the service requirements of the Service Provider.

3. Data


(a) Data Storage and Isolation.

Service Provider stores data in a multi-tenant environment on Service Provider contracted servers. Subject to any Instructions to the contrary (e.g. in the form of a data location selection), Service Provider replicates Customer Data between multiple geographically dispersed data centres. Service Provider also logically isolates Customer Data.

(b) Data Retention.

Data submitted to the Service Provider in connection with the execution of its services is retained for as long as the customer requires under the contract terms and according to how the customer configures the systems delivered to them by the Service Provider. Data submitted to the Service Provider for administrative purposes (for example, day-to-day communication, invoicing and payments) is retained for as long as is required to meet the obligations of the contract and legal and regulatory obligations.

(c) Decommissioned Data Storage Device Erasure Policy.

Devices containing data may experience issues that require them to be decommissioned. Each device is subject to a series of data destruction processes. In the event of hardware failure the device will be physically destroyed.

(d) Encryption and Hashing.

Encryption and hashing use NIST-approved methods and are applied according to the use case. Backups are encrypted, data in transit is encrypted, and data stored in databases is encrypted or hashed where appropriate (for example, credentials).

4. Subprocessors


Before onboarding Subprocessors, Service Provider conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to the scope of the services they are engaged to provide.